
GhostSocks

GhostSocks is a Go-based proxy malware, also described as a Malware-as-a-Service offering, that converts compromised Windows home and office devices into residential SOCKS5 proxy nodes. It is used to route attacker traffic through victim systems, masking malicious activity behind the victim’s IP address and device context. Reporting states GhostSocks was marketed on the Russian-language underground forum xss[.]is and later partnered with LummaC2/Lumma Stealer, with recent LummaC2 versions able to deploy GhostSocks as a reverse/backconnect proxy component.

Observed capabilities include creation of SOCKS5 residential proxies, proxying of network traffic, TLS-wrapped relay traffic, dynamic command-and-control updates after check-in and, in some reporting, backdoor functionality for arbitrary command execution and payload delivery. Newer variants have been observed using HTTPS and TLS 1.3 over SOCKS5, while older samples used HTTP. GhostSocks can persist via Windows registry Run keys and may execute persistence commands with PowerShell. SpyCloud reported that GhostSocks binaries contain static embedded configuration data including C2 nodes, affiliate information, build version, and SOCKS5 proxy credentials; some values are obfuscated, and the configuration sent during check-in is XOR-encrypted with the key "config". Huntress reported a sample copying itself to %AppData%\Microsoft\Windows\Cache\update.exe, storing encrypted helper IP data in %AppData%\config, and creating persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run{BackgroundTask}. Huntress also noted a debug mode triggered with the --johnpidar argument.
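The write-up says the JSON configuration sent at check-in is XOR-encrypted with the key "config". For an analyst holding a captured check-in body, the useful tool is a decoder that applies that key and tells you whether what comes out is a JSON object. The following is an added example written for this page, not GhostSocks or SpyCloud code; it assumes the statement means a plain repeating-key XOR over UTF-8 JSON text, and the field names in SAMPLE_CONFIG are constructed placeholders rather than the malware's real schema.

```python
"""Decode a GhostSocks-style check-in body.

Added example, not GhostSocks or vendor code. The write-up states that the
JSON configuration sent at check-in is XOR-encrypted with the key "config";
this helper assumes that means a plain repeating-key XOR over the UTF-8 JSON
text. The field names in SAMPLE_CONFIG are constructed placeholders, not the
malware's real schema, and the addresses use documentation ranges.
"""
import json
from itertools import cycle

CHECKIN_KEY = b"config"  # key reported for the check-in configuration


def xor_with_key(data: bytes, key: bytes = CHECKIN_KEY) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one function encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_checkin(blob: bytes, key: bytes = CHECKIN_KEY):
    """Return the JSON object recovered from a captured check-in body.

    Returns None when XOR with this key does not yield a JSON object, which
    doubles as a cheap triage test over captured POST bodies: a real check-in
    decodes, unrelated traffic does not.
    """
    try:
        obj = json.loads(xor_with_key(blob, key).decode("utf-8"))
    except ValueError:  # covers both UnicodeDecodeError and JSONDecodeError
        return None
    return obj if isinstance(obj, dict) else None


def extract_c2s(config: dict) -> list:
    """Pull candidate C2 addresses out of a decoded config for blocklisting.

    The key name "c2" is an assumption; adjust it to the schema of your sample.
    """
    value = config.get("c2", [])
    return list(value) if isinstance(value, list) else [value]


# Constructed sample: the kinds of data the write-up says a check-in carries
# (C2 nodes, affiliate, build, SOCKS5 credentials) with placeholder values.
SAMPLE_CONFIG = {
    "build": "example-build-1",
    "affiliate": "example-affiliate",
    "c2": ["198.51.100.10:443", "203.0.113.7:443"],
    "socks_user": "user-placeholder",
    "socks_pass": "pass-placeholder",
}
SAMPLE_BLOB = xor_with_key(json.dumps(SAMPLE_CONFIG).encode("utf-8"))


if __name__ == "__main__":
    recovered = decode_checkin(SAMPLE_BLOB)
    print("decoded:", recovered)
    print("C2 candidates:", extract_c2s(recovered))
    print("wrong key decodes to:", decode_checkin(SAMPLE_BLOB, b"wrong"))
```

Because repeating-key XOR is symmetric, the same helper that decodes a capture also builds the constructed sample, so the round trip can be checked without any real traffic. On live captures, feed decode_checkin each request body sent to a suspected C2 and treat a non-None result as confirmation of the family plus a source of fresh C2 addresses.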

GhostSocks has been repeatedly observed as a secondary payload alongside Vidar infostealer in fake AI-tool and developer-tool lures hosted on GitHub and surfaced through search poisoning, malvertising, and fake repositories. Documented lures include fake DeepSeek V4 repositories, fake Claude Code leak repositories, fake OpenClaw installers, and related AI-branded archives such as TradeAI.exe, OpenClaw_x64.7z, WormGPT_x64.7z, and DeepSeekAI_agent_x64.7z. In these campaigns, Rust-based droppers or loaders installed Vidar to steal credentials and GhostSocks to turn infected devices into proxy infrastructure. Reporting also links GhostSocks activity to LummaC2 operations and notes prior use by Black Basta.

The malware’s operational value is that attacker traffic originates from the victim’s residential or office connection, which can help evade anti-fraud systems, geographic restrictions, and controls tied to IP reputation or same-device fingerprinting. Multiple sources specifically note potential abuse against Google cookie-based access controls and financial-service protections.

High-confidence infrastructure and indicators mentioned in the reporting include:

T1 C2 IPs: 46.8.232.106, 46.8.232.61, 91.212.166.91, 91.212.166.9, 147.45.196.157, 38.180.61.247, 195.2.70.38, 91.142.74.28, 188.130.206.243, 38.180.205.164, and 93.185.159.253

T1 relay IPs: 185.245.106.67, 185.121.233.152, 77.238.237.190, 185.157.213.253, 195.200.28.33, 185.21.13.144, 212.34.130.72, and 195.200.31.22

Helper URLs: hxxps://147[.]45[.]197[.]92:443 and hxxps://94[.]228[.]161[.]88:443

Additional GhostSocks-linked indicators: retreaw[.]click, 159.89.46[.]92, 86.54.24[.]29, and www.lbfs[.]site
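The host artefacts from the Huntress reporting (the update.exe drop path, the %AppData%\config store, the BackgroundTask Run key, the --johnpidar switch) and the network indicators listed above are the pieces a hunt query is built from. The script below is an added example, not Mallory's or any vendor's code: it turns those published values into a classifier run over endpoint and network telemetry. The event records in SAMPLE_EVENTS are constructed JSON lines in a made-up schema (field names host, type, key, value_name, data, image, cmdline, path, dst_ip, dst_host), so map them to whatever your EDR exports.

```python
"""Hunt for GhostSocks artefacts in endpoint and network telemetry.

Added example, not Mallory's or any vendor's code. The paths, registry key,
debug switch and network indicators are the ones quoted in the write-up
(defanged forms reversed); SAMPLE_EVENTS are constructed JSON lines in a
made-up schema, so map the field names to your EDR export.
"""
import json

T1_C2_IPS = {
    "46.8.232.106", "46.8.232.61", "91.212.166.91", "91.212.166.9",
    "147.45.196.157", "38.180.61.247", "195.2.70.38", "91.142.74.28",
    "188.130.206.243", "38.180.205.164", "93.185.159.253",
}
T1_RELAY_IPS = {
    "185.245.106.67", "185.121.233.152", "77.238.237.190", "185.157.213.253",
    "195.200.28.33", "185.21.13.144", "212.34.130.72", "195.200.31.22",
}
HELPER_IPS = {"147.45.197.92", "94.228.161.88"}
OTHER_IPS = {"159.89.46.92", "86.54.24.29"}
DOMAINS = {"retreaw.click", "www.lbfs.site"}

# ip -> label, so a hit says which tier of infrastructure it belongs to
NETWORK_IOCS = {
    **{ip: "T1 C2" for ip in T1_C2_IPS},
    **{ip: "T1 relay" for ip in T1_RELAY_IPS},
    **{ip: "helper" for ip in HELPER_IPS},
    **{ip: "linked" for ip in OTHER_IPS},
}

RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
DROP_PATH_SUFFIX = "\\microsoft\\windows\\cache\\update.exe"  # under %AppData%
HELPER_DATA_SUFFIX = "\\appdata\\roaming\\config"            # %AppData%\config expanded
DEBUG_SWITCH = "--johnpidar"


def classify_event(ev: dict) -> list:
    """Return the reasons an event matches reported GhostSocks tradecraft (empty if none)."""
    reasons = []
    kind = ev.get("type")
    if kind == "registry_set":
        if ev.get("key", "").lower().endswith(RUN_KEY_SUFFIX):
            if ev.get("value_name") == "BackgroundTask":
                reasons.append("Run key value 'BackgroundTask' (reported persistence name)")
            if ev.get("data", "").lower().endswith(DROP_PATH_SUFFIX):
                reasons.append("Run key points at the reported drop path update.exe")
    elif kind == "process_start":
        if ev.get("image", "").lower().endswith(DROP_PATH_SUFFIX):
            reasons.append("process image is the reported drop path update.exe")
        if DEBUG_SWITCH in ev.get("cmdline", ""):
            reasons.append(f"command line carries the reported debug switch {DEBUG_SWITCH}")
    elif kind == "file_write":
        if ev.get("path", "").lower().endswith(HELPER_DATA_SUFFIX):
            reasons.append("write to %AppData%\\config (reported encrypted helper-IP store)")
    elif kind == "network_connect":
        dst = ev.get("dst_ip", "")
        if dst in NETWORK_IOCS:
            reasons.append(f"destination {dst} is a published GhostSocks {NETWORK_IOCS[dst]} address")
        host = ev.get("dst_host", "").lower()
        if host in DOMAINS:
            reasons.append(f"destination host {host} is a published GhostSocks-linked domain")
    return reasons


def hunt(lines):
    """Run classify_event over JSON lines; return (host, type, reasons) for each hit."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        reasons = classify_event(ev)
        if reasons:
            findings.append((ev.get("host", "?"), ev.get("type"), reasons))
    return findings


# Constructed telemetry, not from any real incident: four events should hit, two should not.
SAMPLE_EVENTS = [
    r'{"host":"ws01","type":"registry_set","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","value_name":"BackgroundTask","data":"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Cache\\update.exe"}',
    r'{"host":"ws01","type":"process_start","image":"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Cache\\update.exe","cmdline":"update.exe --johnpidar"}',
    r'{"host":"ws01","type":"file_write","path":"C:\\Users\\alice\\AppData\\Roaming\\config"}',
    r'{"host":"ws01","type":"network_connect","dst_ip":"46.8.232.106","dst_host":""}',
    r'{"host":"ws02","type":"network_connect","dst_ip":"8.8.8.8","dst_host":"dns.google"}',
    r'{"host":"ws02","type":"registry_set","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","value_name":"OneDrive","data":"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}',
]


if __name__ == "__main__":
    for host, kind, reasons in hunt(SAMPLE_EVENTS):
        print(host, kind)
        for reason in reasons:
            print("   -", reason)
```

The registry and process checks match on path suffixes rather than full paths so that any user profile is covered, and the network lookup keeps the tier label from the reporting, which matters for triage: a connection to a T1 relay address means an infected host is already serving proxy traffic, whereas a helper or C2 hit may be an earlier stage. Treat the published IP list as a starting point only, since the page itself notes that GhostSocks rotates C2 addresses after check-in.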

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

MITRE ATT&CK

Techniques & procedures

19 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development (2 techniques)

T1583.001 Domains (Evidence: 1)

Malware actors were playing a fourth game: opportunistic distribution. Fake repositories dressed as leaked Claude Code delivered Vidar v18.7 and GhostSocks to anyone who downloaded them.

T1608.006 SEO Poisoning (Evidence: 1)

Search engines increased the exposure of the malicious repository ... The repository’s llms.txt and topic taxonomy were designed to be discovered by both classical search engines and large-language-model-powered search.

Initial Access (3 techniques)

T1189 Drive-by Compromise (Evidence: 3)

For web searches such as “DeepSeek v4 weights GitHub,” the malicious repository and its forks were positioned among top results, at times appearing ahead of official references like the Hugging Face release page.

T1195 Supply Chain Compromise (Evidence: 1)

The widespread availability of the proprietary code has created a massive vector for supply chain attacks. Cybercriminals are now actively weaponizing this incident, creating malicious forks designed to compromise developer workstations.

T1566.002 Spearphishing Link (Evidence: 3)

This was a campaign that used DeepSeek’s name as a lure, not a compromise of legitimate DeepSeek code or accounts.

Execution (4 techniques)

T1059 Command and Scripting Interpreter (Evidence: 1)

Beyond routing attacker traffic through residential connections, it also includes a backdoor component that allows operators to run arbitrary commands and deploy additional malicious payloads on infected systems.

T1059.001 PowerShell (Evidence: 1)

GhostSocks executes this command with PowerShell, which means defenders should be on the lookout for the above command string as it could be indicative of a GhostSocks infection.

T1204 User Execution (Evidence: 1)

A malicious GitHub repository published by idbzoomh uses the Claude Code exposure as a lure to trick people into downloading malware... Once it's executed, the malware drops Vidar v18.7 and GhostSocks onto users' machines.

T1204.002 Malicious File (Evidence: 7)

Fake repositories dressed as leaked Claude Code delivered Vidar v18.7 and GhostSocks to anyone who downloaded them.

Persistence (1 technique)

T1547.001 Registry Run Keys / Startup Folder (Evidence: 2)

This mechanism, which can be viewed below and leverages registry run keys, allows for GhostSocks infections to survive restarts, allowing for a more long-lasting proxy uptime.

Privilege Escalation (1 technique)

T1547.001 Registry Run Keys / Startup Folder (Evidence: 2)

This mechanism, which can be viewed below and leverages registry run keys, allows for GhostSocks infections to survive restarts, allowing for a more long-lasting proxy uptime.

Stealth (2 techniques)

T1027 Obfuscated Files or Information (Evidence: 1)

Some of these values are obfuscated using GhostSock’s custom obfuscation algorithm, which splits each string into four (4) byte chunks and then uses arithmetic shifts to reveal the deobfuscated text... After GhostSocks assembles its JSON configuration dictionary, it encrypts the dictionary with XOR using the key “config”

T1036 Masquerading (Evidence: 8)

The activity relied on impersonation tactics to appear legitimate. The repository copied public benchmark data from the official release, used search-optimized naming and tags, and copied official branding.

Credential Access (1 technique)

T1528 Steal Application Access Token (Evidence: 1)

Using this feature, actors are able to easily leverage LummaC2’s “Google Expired Token Refresh” feature in conjunction with the residential proxies to refresh expired Google tokens, even when a victim has changed their password.

Command and Control (6 techniques)

T1071 Application Layer Protocol (Evidence: 3)

After GhostSocks assembles its JSON configuration dictionary, it encrypts the dictionary with XOR using the key “config” and sends it to one of the C2s contained in its hardcoded C2 list in a basic request... While older samples communicate over HTTP, newer samples have been spotted leveraging HTTPS...

T1090 Proxy (Evidence: 6)

using a collaboration with GhostSocks, LummaC2 now allows actors to infect victims with reverse proxy binaries to turn their victims into residential proxies.

T1090.003 Multi-hop Proxy (Evidence: 1)

GhostSocks hijacks the victim’s internet connection to make attacker traffic appear as though it is coming from a regular household user... it uses the SOCKS5 proxy protocol to create a covert communication channel on infected devices, while a relay-based command-and-control (C2) architecture places an intermediary server between the attacker’s real C2 infrastructure and the compromised machine.

T1105 Ingress Tool Transfer (Evidence: 6)

Within four hours, victims were downloading malware associated with Vidar infostealer and GhostSocks proxy malware.

T1568 Dynamic Resolution (Evidence: 1)

GhostSocks has the ability to change these C2s on the fly following the initial check-in... GhostSocks also has the ability to insert new IPs if a given IP is taken down, or if a bot is using outdated IPs, allowing for more resilience than a single hardcoded config.

T1573 Encrypted Channel (Evidence: 2)

Once GhostSocks receives the relay server IP and port, it opens the same port on its victim machine, establishes connection with the relay server IP for backconnect traffic, and then wraps TLS 1.3 on top of all traffic that it sends and receives from the relay server.

INDICATORS OF COMPROMISE

IOCs tracked for this family

108 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 49 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes: 56 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 3 tracked

Other indicator types observed in public reporting.

Type | Value | Latest sighting
hash.sha256 | ●●●●●●●●●●●● | today
domain | ●●●●●●●●●●●● | 18 days ago
domain | ●●●●●●●●●●●● | 21 days ago
domain | ●●●●●●●●●●●● | 21 days ago
ip.v4 | ●●●●●●●●●●●● | 1 month ago
ip.v4 | ●●●●●●●●●●●● | 1 month ago

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (108)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (19)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.